Well,

Actually this is not completely true. If the Certification Lab is also the Validation body, then the Certificate is only limited to the country of Certification release.

Precisely in Germany (among other countries), you can get an EAL 4+ certification from a laboratory... which is conducting the Evaluation too. They will even write the needed documentation for you if you pay a fee for each day spent.

I've been looking for the entities which are assumed to have delivered the Validation and Certification to Win2K sp3 and couldn't find any described anywhere.

Also the Security Target can be really narrowed down to the minimum you want to get a certificate for. Example: GemPlus got an EAL 5+ on one of their smartcard products. That was major news at that time... only that the only target tested was the code used to load/delete Java applets on one of their Smartcard OSes. The rest of the platform (and it was quite huge compared to these few lines tested) was not in the target. Typical marketing BS. If your whole target is not good enough to get your EAL 4+, then cut it down to what *is* good enough and get your approval...

By the way, the augmentation granted to Win2K sp3 only covers the fact that they will work on patches when new flaws are unveiled or new bugs discovered. There is no pro-active search for security holes implied by the security level they got.

If you read it completely... Win2K sp3 is just what we know it to be: just good enough by the time the last Service Pack was released, but it will soon suffer from new troubles. The EAL Certification is only relevant on the day it's granted; then you need to go all the way through the maintenance process.

Rgds,
Julien


Jonathan S. Shapiro wrote:
Context: There are international mutual-recognition treaties covering
EAL4 and below, so if you get an EAL4 evaluation in Germany, it's
accepted as binding in the US. Above EAL4 there is no mutual
recognition.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]